
Encounter-based worms: Analysis and defense

Sapon Tanachaiwiwat a,*, Ahmed Helmy b

a Ming Hsieh Department of Electrical Engineering, University of Southern California, Los Angeles, CA. 90089, United States
b Department of Computer and Information Science and Engineering, University of Florida, FL 32611, United States

Article info

Article history: Received 13 September 2008; Accepted 9 February 2009; Available online xxxx

Keywords: Worms; Encounter-based worms; Delay-tolerant networks

Abstract

An encounter-based network is a frequently disconnected wireless ad hoc network requiring immediate neighbors to store and forward aggregated data for information disseminations. Using traditional approaches such as gateways or firewalls to deter worm propagation in encounter-based networks is inappropriate. We propose a worm interaction approach that relies upon automated beneficial worm generation to alleviate problems of worm propagations in such networks. To understand the dynamics of worm interactions and their performance, we mathematically model worm interactions based on major worm interaction factors, including worm interaction types, network characteristics, and node characteristics using ordinary differential equations and analyze their effects on our proposed metrics. We validate our proposed model using extensive synthetic and trace-driven simulations. We find that all worm interaction factors significantly affect the pattern of worm propagations. For example, immunization linearly decreases the infection of susceptible nodes, while on–off behavior only impacts the duration of infection. Using realistic mobile network measurements, we find that encounters are “bursty”, multi-group, and non-uniform. The trends from the trace-driven simulations are consistent with the model, in general. Immunization and timely deployment seem to be most effective in countering worm attacks in such scenarios, while cooperation may help in a specific case. These findings provide insight that we hope would aid in the development of counter-worm protocols in future encounter-based networks.

© 2009 Elsevier B.V. All rights reserved.

1. Introduction

An encounter-based network is a frequently disconnected wireless ad hoc network requiring close proximity of neighbors, i.e., encounter, to disseminate information. Hence, we call this the “encounter-based network”, which can be considered as a terrestrial delay-and-disruptive-tolerant network. It is an emerging technology that is suitable for applications in highly dynamic wireless networks.

Most previous work on worm propagation has focused on modeling a single worm type in well-connected wired networks. However, many new worms target wireless mobile phones. The characteristics of worms in mobile networks are different from random-scan network worms. Worm propagations in random-scan networks are mainly limited by the network bandwidth, link delay and their scanning strategies [8]. Worm propagations in mobile networks depend heavily on user encounter patterns. Many of those worms rely on Bluetooth to broadcast their replications to vulnerable phones, e.g., Cabir and ComWar.M [10,13]. Since Bluetooth radios have very short ranges of around 10–100 m, the worms need neighbors in close proximity to spread their replications. Hence, we call these “encounter-based worms”. This worm spreading pattern is very similar to the spread of packet replications in delay-tolerant networks [15,17], i.e., flooding the copies of messages to all close neighbors. An earlier study of encounter-based networks actually used the term “epidemic routing” [15] to describe the similarity of this routing protocol to disease spreading. Using traditional approaches such as gateways or firewalls to deter worm propagation in encounter-based networks is inappropriate. Because this type of network is highly dynamic and has no specific boundary, a fully distributed counter-worm mechanism is needed. We propose to investigate a worm interaction approach that relies upon automated beneficial worm generation [1]. This approach uses an automatically generated beneficial worm to terminate malicious worms and patch vulnerable nodes.

1570-8705/$ - see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.adhoc.2009.02.004

* Corresponding author. Tel.: +1 352 2142820. E-mail addresses: [email protected] (S. Tanachaiwiwat), helmy@ufl.edu (A. Helmy).

Ad Hoc Networks xxx (2009) xxx–xxx

Contents lists available at ScienceDirect

Ad Hoc Networks

journal homepage: www.elsevier.com/locate/adhoc

ARTICLE IN PRESS

Please cite this article in press as: S. Tanachaiwiwat, A. Helmy, Encounter-based worms: Analysis and defense, Ad Hoc Netw. (2009), doi:10.1016/j.adhoc.2009.02.004

Our work is motivated by wars of Internet worms such as the war between NetSky, Bagle, and MyDoom [13]. This scenario is described as “worm interactions” in which one or multiple types of worm terminates or patches other types of worms.

In this paper, we mathematically model worm interactions based on three major worm interaction factors, including worm interaction types [11], network characteristics, and node characteristics [12]. Worm interaction types in our model are aggressive one-sided, conservative one-sided, or aggressive two-sided. The variation of these worm interaction types can also be created from our model.

There are many important node characteristics to be considered, but we focus only on a fundamental subset including cooperation, immunization, on–off behavior, and delay. We shall show that these are key node characteristics for worm propagation in encounter-based networks. Other characteristics, such as trust between users, battery life, energy consumption, and buffer capacity are subject to further study and are beyond the scope of this paper.

The majority of routing studies in encounter-based networks usually assume ideal node characteristics, including full node cooperation and always-on behavior. However, in realistic scenarios, nodes do not always cooperate with others and may be off most of the time [5]. In worm propagation studies, many works have also assumed that all nodes are susceptible (i.e., not immune) to worm infection. An immune node does not cooperate with infected nodes and is not infected. To investigate more realistic scenarios, we propose to study mobile node characteristics and analyze the impact of cooperation, immunization, and on–off behavior on the worm interactions. Cooperation and on–off behavior are expected to have an impact on the timing of infection. Intuitively, cooperation makes the network more susceptible to worm attacks. Immunization, however, may help reduce overall infection level. This paper examines the validity of these expectations, using the overall infection level and timing of infection as metrics (see Section 3.3).

We consider several important network characteristics, including node sizes, contact rate, group behaviors, and batch arrival. Using realistic mobile network measurements, we find that encounters are “bursty”, multi-group, and non-uniform.

Most worm propagation studies have only focused on the instantaneous number of infected nodes as a metric. We believe that additional systematic metrics are needed to study worm response mechanisms. We utilize new metrics, including total prey-infected nodes, maximum prey-infected nodes, total prey lifespan, average individual prey lifespan, time to secure all nodes, and time to remove all preys to quantify the effectiveness of worm interaction.

In this paper, we attempt to answer the following questions: How can we model this war of the worms systemically based on worm interaction factors including worm interaction types, node characteristics, and network characteristics? What type of worm interaction, conditions of network, and node characteristics can alleviate the level of worm infection? How do worms interact in realistic mobility scenarios? This worm interaction model can be extended to support more complicated current and future worm interactions in encounter-based networks.

Our main contribution in this paper is a new worm interaction model, focusing on worm interaction types, network characteristics, and node characteristics in encounter-based networks. We also use new metrics to quantify the effectiveness of worm interactions, and our proposed metrics are applicable to study any worm response mechanism. We also provide the first study of worm propagation based on real mobile measurements.

Following is an outline of the remainder of the paper. We discuss related work in Section 2. In Section 3, we explain the basic definitions of our model, the metrics, worm interaction types, network characteristics, node characteristics, and the general model. We then analyze and evaluate worm interactions in both uniform and realistic encounter networks in Section 4. In Section 5, we conclude our work and discuss the future work.

2. Related work

Worm-like message propagation or epidemic routing has been studied for delay-tolerant network applications [11,13,15]. As in worm propagation, a sender in this routing protocol spreads messages to all nodes in close proximity, and those nodes repeatedly spread the copies of messages until the messages reach a destination, similar to generic flooding but without producing redundant messages. Performance modeling for epidemic routing in delay-tolerant networks [13] based on ordinary differential equations (ODE) is proposed to evaluate the delivery delay, loss probability, and power consumption. In addition, the concept of the anti-packet is proposed to stop unnecessary overhead from forwarding extra copies of the packets after the destination has received the packets. This can be considered as a special case of non-zero delay of aggressive one-sided interaction (see Section 3.2), which we consider in our model.

Epidemic models, a set of ODEs, have been used to describe the spread of contagious diseases, including the SI, SIS, SIR, SIRS, SEIR, and SEIRS models [4,10] in which S, I, E, R stand for Susceptible, Infected, Exposed, and Recovered states, respectively. There is an analogy between computer worm infection and disease spread in that both depend on the node’s state and encounter pattern. For Internet worms, several worm propagation models have been investigated in earlier works [2,6,8,18]. Few works [1,9,11] have considered worm interaction among different worm types. Our work, in contrast, focuses on understanding how we can systemically categorize and model worm propagation based on worm interaction types, network characteristics, and node characteristics in encounter-based networks.

In [1], the authors suggested modifying existing worms such as Code Red, Slammer, and Blaster to terminate the original worm types. In this paper, we model this as aggressive one-sided worm interaction. Other active defenses, such as automatic patching, were also investigated in [16]. Their work assumed a patch server and overlay network architecture for Internet defense. We provide a mathematical model that can explain the behavior of automatically generated beneficial worms and automatic patch distribution using one-sided worm interaction in encounter-based networks. The effect of immunization on Internet worms was modeled in [8] based on the SIR model.

In our previous work [12] and this paper, we discuss the encounter-based worm problem and show trace-based simulation results compared with the model. However, in [12], we only focused on node characteristics in aggressive one-sided interaction types (one of the worm interaction types). This paper explores all worm interaction factors including different types of worm interactions, network characteristics, and node characteristics. The mathematical model presented in [12] was also very limited, while the mathematical model in this paper elaborates on all worm interaction factors as well as re-susceptible transitions and removed states. The experimental results between the two studies are also drastically different. In [12], we showed preliminary trace-based results and compared them with our simplistic model, and we stated that the model had to be improved by considering realistic factors such as group concept, batch arrival, and delay. Hence, in this paper, we incorporate those factors into the model, and our new and comprehensive model predicts the outcome much more accurately.

3. Worm interaction model

We aim to build a fundamental worm propagation model that captures worm interaction as a key factor in uniform-encounter-based networks. Furthermore, our proposed model addresses and analyzes the dynamics of susceptible and infected nodes over the course of time.

Because the constant removal rate in the basic SIR model and its variance [7,14] cannot directly portray the impact of such interactions on multi-type worm propagations, our model builds upon and extends beyond the conventional epidemic model to accommodate the notion of interaction.

The basic operation of a worm is to find susceptible nodes to be infected, and the main goal of attackers is to have their worms infect the largest number of nodes in the least amount of time, and if possible, remain undetected by antivirus or intrusion detection systems. Our beneficial worm, on the other hand, aims to eliminate opposing worms or limit the scope of the opposing worms’ infection. We want to investigate the worm propagation caused by various types of interactions as well as network characteristics and node characteristics.

3.1. Definitions

3.1.1. Predator–prey relationships

For every worm interaction type, there are two basic characters: predator and prey. The predator, in our case the beneficial worm, is a worm that terminates and patches against another worm. The prey, in our case the malicious worm, is a worm that is terminated or patched by another worm.

A predator can also be a prey at the same time for some other type of worm. A predator can vaccinate a susceptible node, i.e., infect the susceptible node (vaccinated nodes become predator-infected nodes) and apply a patch afterwards to prevent the nodes from prey infection. Manual vaccination, however, is performed by a user or an administrator by applying patches to susceptible nodes.

A termination refers to the removal of a prey from infected nodes by a predator, and such action causes prey-infected nodes to become predator-infected nodes. The removal by a user or an administrator, however, is referred to as manual removal.

We choose to use two generic types of interacting worms, A and B, as our basis throughout the paper. A and B can assume the role of predator or prey depending on the type of interactions.

3.1.2. Contact rate

Contact rate is the frequency of encounter for pairs of nodes, where an encounter occurs when the two nodes are within radio range. We assume a uniform contact rate for all pairs of nodes, their encounter behavior does not directly impact each other, and both predator and prey share the same set of susceptible nodes. We assume that in one encounter, the worm is successfully transferred from one node to another (see Table 1).

3.1.3. Metrics

To gain insight and better quantify the effectiveness of worm interaction, we propose to use the following metrics:

1. Total prey-infected nodes (TI): the number of nodes ever infected by a prey.

2. Maximum prey-infected nodes (MI): the peak of the instantaneous number of prey-infected nodes, where $I_A(0) \le MI \le TI$.

3. Total prey lifespan (TL): the sum of time of individual nodes ever infected by a prey. It can be interpreted as the total damage by a prey.

4. Average individual prey lifespan (AL): the average lifespan of individual prey-infected nodes, where $AL \le TL$.

5. Time to secure all nodes (TA): the time required for a predator to infect all susceptible and prey nodes. Its inverse can be interpreted as the average predator infection rate.

6. Time to remove all preys (TR): the time required for a predator to terminate all preys, where $TR \le TA$. Its inverse can be interpreted as the prey termination rate.

TI and MI are indicators of the level of prey infection, TL and AL are the indicators of the duration of prey infection, and TA and TR are the indicators of protection and recovery rate, respectively. Our goal is to find the conditions to minimize these metrics based on worm interaction factors, of which details are discussed next.

3.2. Worm interaction factors

Our model considers three major factors that can significantly impact the worm interactions: worm interaction types, network characteristics, and node characteristics. A worm can behave differently based on the types of interactions (or their behaviors): aggressive one-sided interaction, conservative one-sided interaction, or aggressive two-sided interaction [11]. In addition, underlying network characteristics including node size, contact rate, group behaviors, and batch arrivals are the keys of worm propagation. Finally, node characteristics, including cooperation, immunization, on–off behaviors and delay, can significantly affect the worm interaction patterns. We start by explaining each individual worm interaction factor before we show our model that addresses all of these factors.

3.2.1. Worm interaction types

When there is a prey, A, and a predator, B, we consider this as a one-sided interaction. If both A and B are predators, it is denoted as a two-sided interaction. For an ideal scenario, the predator wants to terminate its prey as much as possible, as well as prevent its preys from infecting and re-infecting. To satisfy that requirement, the predator requires a patch or a false signature of its prey.

There are three types of interactions considered: aggressive one-sided, conservative one-sided, and aggressive two-sided. They are described below.

1. Aggressive one-sided interaction: In this interaction type, a beneficial worm, the predator, has the capability to terminate and patch a malicious worm, the prey, as well as vaccinate susceptible nodes. Simplified interaction between the Internet worms, e.g., Welchia and Blaster, can be represented by this model.

2. Conservative one-sided interaction: In a conservative interaction, a predator has the capability to terminate a prey but does not vaccinate susceptible nodes. Hence, the change in predator-infected nodes depends solely on the population of the prey-infected nodes.

3. Aggressive two-sided interaction: In this interaction type, both worms assume the roles of predator and prey simultaneously. We simply call A predator A and B predator B. Predator B is capable of vaccinating susceptible nodes but is unable to remove a predator A from predator A’s infected nodes because it is blocked by predator A. Both predator A and B block each other. In automated patching systems [16], their worm-like patch distribution falls into this category. The automated patching that assumes that each worm patches its own node to prevent infection from the other worm is closely related to this model.

Table 1. Parameters and definitions.

| Parameter | Definition |
| --- | --- |
| $S$, $S_n$ | Susceptible nodes: the number of nodes in the whole population that can be infected by either prey or predator; the number of susceptible nodes of group n |
| $S^*_n$, $S'_n$ | Number of susceptible nodes of group n that can be infected by either prey or predator; the number of susceptible nodes of group n that can be infected by predator only |
| $I_A$, $I_B$ | Prey-infected nodes: the number of nodes infected by prey in a whole population; predator-infected nodes: the number of nodes infected by predator in a whole population |
| $I_{An}$, $I_{Bn}$ | Prey-infected nodes: the number of nodes infected by prey in group n; predator-infected nodes: the number of nodes infected by predator in group n |
| $N$, $N^*$, $N_n$ | Total number of vulnerable nodes in the networks: it is the sum of the number of susceptible nodes, prey-infected nodes, and predator-infected nodes; total number of cooperative-susceptible nodes in a whole population; total number of vulnerable nodes of group n |
| $b$, $b_{nm}$ | Pair-wise contact rate: a frequency that a pair of nodes makes contact with each other in a whole population; a contact rate between a member in group n and a member in group m |
| $d$ | Encounter rate: the frequency that a node encounters any other node in the same network |
| $Y$ | Initial-infected-nodes ratio: the ratio between predator-infected nodes and prey-infected nodes in the whole population at $t = 0$ |
| $c$ | Cooperation: a node’s willingness to forward messages for others in the population (fraction) |
| $i$ | Immunization: immune nodes (fraction) of the whole population that will not be infected by prey |
| $p$ | On–off behavior: “on” nodes can participate in forwarding packets, while “off” nodes cannot (probability) |
| $d$ | Delay: the time differences between initial prey-infected nodes and initial predator-infected nodes |
| $a$ | Re-susceptible: infected nodes can become susceptible again |
| $K_{S^*_1 I_{A1} I_{A2}}$, $K_{S^*_2 I_{A1} I_{A2}}$, $K_{S^*_1 I_{B1} I_{B2}}$, $K_{S^*_2 I_{B1} I_{B2}}$, $K_{S'_1 I_{B1} I_{B2}}$, $K_{S'_2 I_{B1} I_{B2}}$, $K_{I_{A1} I_{B1} I_{B2}}$, $K_{I_{A2} I_{B1} I_{B2}}$ | State transition indicators: the numbers (0 or 1) used to identify the types of worm interaction types |
| $D_{S^*_1}$, $D_{S^*_2}$, $D_{S'_1}$, $D_{S'_2}$ | Batch arrival (and departure) rate: the rate that new vulnerable nodes join (or leave) into the networks |
| $k_{S^*_n S^*_m}$, $k_{S'_n S'_m}$, $k_{I_{An} I_{Am}}$, $k_{I_{Bn} I_{Bm}}$ | Group transition rate: rates of susceptible nodes, susceptible nodes which are immune to prey, prey-infected nodes, predator-infected nodes in group n become susceptible nodes, susceptible nodes which are immune to prey, prey-infected nodes, predator-infected nodes in group m, respectively |

According to the above worm interaction types, TI, MI, TL, AL, TA, and TR in aggressive one-sided interactions are expected to be the lowest among those of all interaction types. In conservative one-sided interactions, because only once-infected-by-prey nodes can be infected by a predator, $TA = \infty$. Similarly, for aggressive two-sided interaction, a predator cannot terminate a prey, hence $TL = AL = TA = TR = \infty$.

3.2.2. Network characteristics

Network characteristics represent the characteristics of the encounter-based networks. We particularly focus on node sizes, contact rate, group behaviors, and batch arrival. The other related characteristics, including clustering coefficient and average hop counts, are subject to further study.

1. Contact rate: Contact rate ($b$) is one of the most important factors to determine the characteristics of worm interaction. We investigate the relationships between $b$ and our proposed metrics in this section. Because contact rate is the frequency of a pair of nodes encountering each other, increasing the contact rate causes every node to encounter each other more frequently, i.e., the time between consecutive encounters will be reduced. Hence, we expect that the metrics relating to times including TL, AL, TA, and TR to be reduced. However, because prey and predator share the same contact rate, TI and MI should not be different even when contact rates are changed. In other words, if the prey infects other susceptible nodes faster, the predator also terminates and patches faster as well.

2. Node size: With the same number of initial predator and initial prey-infected nodes and fixed $b$, the change of node size ($N$) causes a decrease of time between consecutive encounters of any node to any node. Similarly, as we expect from the contact rate, varying node sizes can have a significant impact on TL, AL, TA, and TR.

3. Group behavior: Multi-group encounters, of which the group is classified by its encounter patterns and contact rates, are expected in encounter-based networks. For two-group modeling, we need three different contact rates: two intra-contact rates for encounters within each group, and one inter-contact rate for encounters between groups. For n groups, we need n intra-contact rates and $\binom{n}{2}$ inter-contact rates. The effects of group sizes and contact rates of the individual group and between groups are investigated.

4. Batch arrival: Nodes may join the networks simultaneously as a “batch arrival”. This can be modeled as the “birth” of the population. We assume that those nodes enter the network only as susceptible nodes. Note that infected nodes that temporarily leave and then join the network would not be considered as a batch arrival. We discuss and investigate the effect of realistic batch arrivals in Section 4.

3.2.3. Node characteristicsEach node may have different characteristics because of

differences in the user’s usage strategies, daily-life activi-ties, or level of security technology and awareness. Fourimportant node characteristics corresponding to this worminteraction factor are addressed, including cooperation,immunization, on–off behavior, and delay. We assumethese node characteristics are persistent throughout thelifetime of the networks.

1. Cooperation: Cooperation is the willingness of a nodeto forward messages (worms) to other nodes. Theopposite characteristic is known as selfishness. Intu-itively, cooperation may seem to make the networkmore vulnerable. However, unlike immunization,cooperation is expected to equally slow down bothprey and predator propagations. Hence, the effect ofcooperation is hard to anticipate. Cooperation andtrust are much correlated concepts in the computersecurity area where trust is the major key to cooper-ation. For example, highly trusted nodes will not for-ward the messages to (or accept messages from) un-trusted nodes. In this paper, we assume strong linearrelationship between cooperation and trust.

2. Immunization: Not all nodes are susceptible to theprey, either because of their heterogeneous operat-ing systems or their differences of promptness toremove the vulnerability from their machines.Hence, some nodes can be immune to prey and willslow down the overall prey infection. It is expectedto improve the overall targeted metrics mentionedearlier because immune nodes still help forwardpredators to other nodes. It is expected to have nopositive impact on TA but reduce TR simply becauseof less number of nodes are to be removed.

3. On–off behavior: A node is able to accept or forward the packet based on its on–off characteristics. In reality, devices are "on" or active only a fraction of the time. Activity may be related to mobility. For instance, a mobile phone is usually on, while a laptop is unlikely to be mobile while on.¹ We model the transition from on to off, and vice versa, probabilistically. The probability is determined at the beginning of each time interval. Hence, the contact rate is expected to be proportionally reduced according to the probability that the node cannot forward or accept the packets because of the on–off status.

¹ This is observed from measurements [15] and is captured in our study using trace-driven simulations.


Please cite this article in press as: S. Tanachaiwiwat, A. Helmy, Encounter-based worms: Analysis and defense, Ad Hoc Netw. (2009), doi:10.1016/j.adhoc.2009.02.004


4. Delay: Initial prey-infected nodes and initial predator-infected nodes may start their infections in the networks at different times (depending on prey timers or security architecture of the predator). The gap between those times can be significant. If initial prey-infected nodes start infecting susceptible nodes in the network earlier than initial predator-infected nodes start vaccination and termination, we can expect the increase of TI, MI, AL, TA, TL, and TR, and opposite results are expected if the order of their start times is reversed.

3.3. General worm interaction model

Assume that there are $g$ groups in the network. Let $b_{nm}$ be the contact rate between members of group $n$ and group $m$ ($b_{nn}$ is the contact rate within group $n$), and $S_n$ is the number of susceptible nodes of group $n$ (at time $t$), where $1 \le m, n \le g$. Let $c$ be the fraction of $N_n$ that is willing to be cooperative, where $0 \le c \le 1$ and $N_n$ is the total number of nodes in the networks for group $n$. Let $i$ be the fraction of cooperative nodes that are immune to the prey, where $0 \le i \le 1$. Let $I_{An}$ and $I_{Bn}$ be the number of prey-infected nodes and predator-infected nodes for group $n$, respectively. If we assume that the initial predator-infected and initial prey-infected nodes ($t = 0$) are cooperative, then the number of susceptible nodes for both prey and predator is $S^*_n$, where $S^*_n(0) = c(1 - i)N_n - I_{An}(0)$ for group $n$, and the number of susceptible nodes for the predator only is $S'_n$, where $S'_n(0) = ciN_n - I_{Bn}(0)$ for group $n$. Note that $N_n = S^*_n + S'_n + I_{An} + I_{Bn}$ and $S_n = S^*_n + S'_n$. We define the probability of "on" behavior as $p$ and "off" behavior as $1 - p$, where $0 \le p \le 1$. Hence, the contact rate between group $n$ and $m$ for both predator and prey is $p\,b_{nm}$. Let $d$ be the delay between the initial prey-infected node(s) and the initial predator-infected node(s) (assume that all initial predator-infected (prey-infected) nodes start infection at the same time); then $I_{An}(t) \ge 1$ iff $t \ge 0$ and $I_{Bn}(t) \ge 1$ iff $t \ge d$. For simplicity and brevity, let us assume that the number of groups in the network is 2. Fig. 1a shows the state diagram of our model.

Let $K_{S^*_1 I_{A1} I_{A2}}$, $K_{S^*_2 I_{A1} I_{A2}}$, $K_{S^*_1 I_{B1} I_{B2}}$, $K_{S^*_2 I_{B1} I_{B2}}$, $K_{S'_1 I_{B1} I_{B2}}$, $K_{S'_2 I_{B1} I_{B2}}$, $K_{I_{A1} I_{B1} I_{B2}}$ and $K_{I_{A2} I_{B1} I_{B2}}$ be the state transition indicators from $S^*_1$ to either $I_{A1}$ or $I_{A2}$, where $K_{S^*_1 I_{A1} I_{A2}} \in \{0,1\}$; from $S^*_2$ to either $I_{A1}$ or $I_{A2}$, where $K_{S^*_2 I_{A1} I_{A2}} \in \{0,1\}$; from $S^*_1$ to either $I_{B1}$ or $I_{B2}$, where $K_{S^*_1 I_{B1} I_{B2}} \in \{0,1\}$; from $S^*_2$ to either $I_{B1}$ or $I_{B2}$, where $K_{S^*_2 I_{B1} I_{B2}} \in \{0,1\}$; from $S'_1$ to either $I_{B1}$ or $I_{B2}$, where $K_{S'_1 I_{B1} I_{B2}} \in \{0,1\}$; from $S'_2$ to either $I_{B1}$ or $I_{B2}$, where $K_{S'_2 I_{B1} I_{B2}} \in \{0,1\}$; from $I_{A1}$ to either $I_{B1}$ or $I_{B2}$, where $K_{I_{A1} I_{B1} I_{B2}} \in \{0,1\}$; and from $I_{A2}$ to either $I_{B1}$ or $I_{B2}$, where $K_{I_{A2} I_{B1} I_{B2}} \in \{0,1\}$, respectively. Let $a$ be the rate that prey-infected or predator-infected nodes become susceptible again ($a$ can also be different between prey and predator). The state transition indicators and $a$ are used to identify the types of worm interactions. Let $c$ be the manual removal rate and $c_S$ be the manual vaccination rate.

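For the aggressive one-sided interaction, $K_{S^*_1 I_{A1} I_{A2}} = K_{S^*_2 I_{A1} I_{A2}} = K_{S^*_1 I_{B1} I_{B2}} = K_{S^*_2 I_{B1} I_{B2}} = K_{S'_1 I_{B1} I_{B2}} = K_{S'_2 I_{B1} I_{B2}} = K_{I_{A1} I_{B1} I_{B2}} = K_{I_{A2} I_{B1} I_{B2}} = 1$ and $a = 0$. For the conservative one-sided interaction, $K_{S^*_1 I_{A1} I_{A2}} = K_{S^*_2 I_{A1} I_{A2}} = K_{I_{A1} I_{B1} I_{B2}} = K_{I_{A2} I_{B1} I_{B2}} = 1$, $K_{S^*_1 I_{B1} I_{B2}} = K_{S^*_2 I_{B1} I_{B2}} = K_{S'_1 I_{B1} I_{B2}} = K_{S'_2 I_{B1} I_{B2}} = 0$ and $a = 0$. For the aggressive two-sided interaction, $K_{S^*_1 I_{A1} I_{A2}} = K_{S^*_2 I_{A1} I_{A2}} = K_{S^*_1 I_{B1} I_{B2}} = K_{S^*_2 I_{B1} I_{B2}} = K_{S'_1 I_{B1} I_{B2}} = K_{S'_2 I_{B1} I_{B2}} = 1$, $K_{I_{A1} I_{B1} I_{B2}} = K_{I_{A2} I_{B1} I_{B2}} = 0$ and $a = 0$.

Let $k_{S^*_1 S^*_2}$, $k_{S^*_2 S^*_1}$, $k_{S'_1 S'_2}$, $k_{S'_2 S'_1}$, $k_{I_{A1} I_{A2}}$, $k_{I_{A2} I_{A1}}$, $k_{I_{B1} I_{B2}}$ and $k_{I_{B2} I_{B1}}$ be the group transition rates from $S^*_1$ to $S^*_2$, $S^*_2$ to $S^*_1$, $S'_1$ to $S'_2$, $S'_2$ to $S'_1$, $I_{A1}$ to $I_{A2}$, $I_{A2}$ to $I_{A1}$, $I_{B1}$ to $I_{B2}$, and $I_{B2}$ to $I_{B1}$, respectively. Let $D_{S^*_1}$, $D_{S^*_2}$, $D_{S'_1}$, and $D_{S'_2}$ be the batch arrival rates for $S^*_1$, $S^*_2$, $S'_1$, and $S'_2$, respectively.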

The susceptible nodes' decrease rate is determined by manual vaccination and the contact of susceptible nodes with the prey-infected nodes (from the same or different group) causing the prey infection or with the predator-infected nodes (from the same or different group) causing the vaccination. On the other hand, the re-susceptible (infected nodes become susceptible again²) rate causes the increase for susceptible nodes. In addition, the number of susceptible nodes within each group can be changed due to the group transitions and batch arrival. Hence, the susceptible rates of group 1 and 2 are

$$
\begin{aligned}
\frac{dS^*_1}{dt} ={}& -pS^*_1\left(K_{S^*_1 I_{A1} I_{A2}}(b_{11}I_{A1} + b_{12}I_{A2}) + K_{S^*_1 I_{B1} I_{B2}}(b_{11}I_{B1} + b_{12}I_{B2})\right) \\
& + (k_{S^*_2 S^*_1}S^*_2 - k_{S^*_1 S^*_2}S^*_1) - c_S S^*_1 + a\left(I_{A1} + (1 - i)I_{B1}\right) + D_{S^*_1}
\end{aligned}
\tag{2-a}
$$

$$
\begin{aligned}
\frac{dS^*_2}{dt} ={}& -pS^*_2\left(K_{S^*_2 I_{A1} I_{A2}}(b_{22}I_{A2} + b_{12}I_{A1}) + K_{S^*_2 I_{B1} I_{B2}}(b_{22}I_{B2} + b_{12}I_{B1})\right) \\
& - (k_{S^*_2 S^*_1}S^*_2 - k_{S^*_1 S^*_2}S^*_1) - c_S S^*_2 + a\left(I_{A2} + (1 - i)I_{B2}\right) + D_{S^*_2}
\end{aligned}
\tag{2-b}
$$

$$
\frac{dS'_1}{dt} = -pK_{S'_1 I_{B1} I_{B2}}S'_1(b_{11}I_{B1} + b_{12}I_{B2}) + (k_{S'_2 S'_1}S'_2 - k_{S'_1 S'_2}S'_1) - c_S S'_1 + a\,i\,I_{B1} + D_{S'_1}
\tag{2-c}
$$

$$
\frac{dS'_2}{dt} = -pK_{S'_2 I_{B1} I_{B2}}S'_2(b_{22}I_{B2} + b_{12}I_{B1}) - (k_{S'_2 S'_1}S'_2 - k_{S'_1 S'_2}S'_1) - c_S S'_2 + a\,i\,I_{B2} + D_{S'_2}
\tag{2-d}
$$

Since the prey relies on susceptible nodes to expand its population, the increase of prey infection rate is determined by the contacts of susceptible nodes and prey-infected nodes. The decrease of prey infection rate is determined by prey termination caused by the contacts of prey-infected nodes and predator-infected nodes, the manual removal rate, and the re-susceptible rate. The other factors such as group transition and batch arrival are also applied to the prey infection rate. Hence, the prey infection rates for group 1 and 2 are

$$
\begin{aligned}
\frac{dI_{A1}}{dt} ={}& p\left(K_{S^*_1 I_{A1} I_{A2}}S^*_1(b_{11}I_{A1} + b_{12}I_{A2}) - K_{I_{A1} I_{B1} I_{B2}}I_{A1}(b_{11}I_{B1} + b_{12}I_{B2})\right) \\
& + (k_{I_{A2} I_{A1}}I_{A2} - k_{I_{A1} I_{A2}}I_{A1}) - (a + c)I_{A1}
\end{aligned}
\tag{3-a}
$$

$$
\begin{aligned}
\frac{dI_{A2}}{dt} ={}& p\left(K_{S^*_2 I_{A1} I_{A2}}S^*_2(b_{22}I_{A2} + b_{12}I_{A1}) - K_{I_{A2} I_{B1} I_{B2}}I_{A2}(b_{22}I_{B2} + b_{12}I_{B1})\right) \\
& - (k_{I_{A2} I_{A1}}I_{A2} - k_{I_{A1} I_{A2}}I_{A1}) - (a + c)I_{A2}
\end{aligned}
\tag{3-b}
$$

² Some worms only reside in memory and disappear after a restart of the computer.

Because the predator can terminate its prey as well as vaccinate susceptible nodes, the increase of predator infection rate is determined by the contacts of the predator with either the susceptible nodes or prey-infected nodes. The decreases of prey-infected nodes are caused by manual removal rate and re-susceptible rate. The predator infection rates for group 1 and 2 are

$$
\begin{aligned}
\frac{dI_{B1}}{dt} ={}& p(b_{11}I_{B1} + b_{12}I_{B2})\left(K_{S^*_1 I_{B1} I_{B2}}S^*_1 + K_{S'_1 I_{B1} I_{B2}}S'_1 + K_{I_{A1} I_{B1} I_{B2}}I_{A1}\right) \\
& + (k_{I_{B2} I_{B1}}I_{B2} - k_{I_{B1} I_{B2}}I_{B1}) - (a + c)I_{B1}
\end{aligned}
\tag{4-a}
$$

$$
\begin{aligned}
\frac{dI_{B2}}{dt} ={}& p(b_{22}I_{B2} + b_{12}I_{B1})\left(K_{S^*_2 I_{B1} I_{B2}}S^*_2 + K_{S'_2 I_{B1} I_{B2}}S'_2 + K_{I_{A2} I_{B1} I_{B2}}I_{A2}\right) \\
& - (k_{I_{B2} I_{B1}}I_{B2} - k_{I_{B1} I_{B2}}I_{B1}) - (a + c)I_{B2}
\end{aligned}
\tag{4-b}
$$

Finally, the increase of removed nodes is caused by manual vaccination of susceptible hosts and manual removal of prey-infected and predator-infected nodes.

$$
\frac{dR}{dt} = c_S(S^*_1 + S^*_2 + S'_1 + S'_2) + r(I_{A1} + I_{A2} + I_{B1} + I_{B2})
\tag{5}
$$

Our model addresses all worm interaction factors and can easily be extended to address other types of worms and a greater number of groups within the network. For example, the basic SIR model can also be derived from this model by setting $K_{S^*_1 I_{A1} I_{A2}} = 1$ and $b_{11} > 0$, $S^*_1 > 0$, $I_{A1} > 0$, $c > 0$ while setting the other parameters to 0.

4. Evaluation

In this paper, we investigate worm interaction and validate our model using three approaches: (1) model analysis, (2) uniform-encounter-based simulation, and (3) trace-driven-encounter-based simulation. Our goal is to observe the relationships between our proposed model and the worm interaction factors. In the model analysis, we provide basic conditions that can be used to obtain the metrics. In the uniform-encounter-based simulation, we investigate the effect of worm interaction types, network characteristics, and node characteristics on a simple uniform encounter-based network. We then evaluate our model on realistic trace-driven-encounter-based simulations. Let us start by analyzing the proposed model.

Fig. 1. (a) General worm interaction model state diagram, (b) aggressive one-sided interactions, (c) conservative one-sided interactions, (d) aggressive two-sided interaction, (e) aggressive one-sided interaction with node characteristics.

4.1. Model analysis

For brevity, we assume that there are no transitions between groups, i.e., $k_{S^*_1 S^*_2} = k_{S^*_2 S^*_1} = k_{S'_1 S'_2} = k_{S'_2 S'_1} = k_{I_{A1} I_{A2}} = k_{I_{A2} I_{A1}} = k_{I_{B1} I_{B2}} = k_{I_{B2} I_{B1}} = 0$. We focus our analysis on the aggressive one-sided interaction for two-group encounter-based networks. If we want to suppress the initial infection ($\frac{dI_{A1}}{dt} \le 0$ and $\frac{dI_{A2}}{dt} \le 0$ at $t = 0$), from (3-a) and (3-b), then the required conditions for this are

$$
S^*_1(0)\left(b_{11}I_{A1}(0) + b_{12}I_{A2}(0)\right) \le I_{A1}(0)\left(b_{11}I_{B1}(0) + b_{12}I_{B2}(0)\right)
\tag{6-a}
$$

$$
S^*_2(0)\left(b_{22}I_{A2}(0) + b_{12}I_{A1}(0)\right) \le I_{A2}(0)\left(b_{22}I_{B2}(0) + b_{12}I_{B1}(0)\right)
\tag{6-b}
$$

where $I_{A1}(0)$, $I_{A2}(0)$, $I_{B1}(0)$, $I_{B2}(0)$, $S^*_1(0)$, and $S^*_2(0)$ are the number of prey-infected nodes, predator-infected nodes, and susceptible nodes of group 1 and 2 at $t = 0$, respectively.

From this condition, we obtain

$$
\mathit{TI} = \mathit{MI} = I_{A1}(0) + I_{A2}(0), \qquad I_{A1}(\infty) = I_{A2}(\infty) = 0
\tag{7}
$$

where $I_{A1}(\infty)$ and $I_{A2}(\infty)$ are the number of prey-infected nodes of group 1 and 2 at $t = \infty$.

However, we can see from (6-a) and (6-b) that the threshold can only be obtained from such conditions. If those conditions cannot be met, then we can only have a certain acceptable level of infection, and TI can be derived from

$$
\mathit{TI} = p\int_{t=0}^{\infty}\left(S^*_2(b_{22}I_{A2} + b_{12}I_{A1}) + S^*_1(b_{11}I_{A1} + b_{12}I_{A2})\right)dt
\tag{8}
$$

MI can be found from $(I_{A1} + I_{A2})_{\max}$, where $\frac{dI_{A1}}{dt} = \frac{dI_{A2}}{dt} = 0$ at $t > 0$, in which

$$
S^*_1(b_{11}I_{A1} + b_{12}I_{A2}) = I_{A1}(b_{11}I_{B1} + b_{12}I_{B2})
\tag{9-a}
$$

$$
S^*_2(b_{22}I_{A2} + b_{12}I_{A1}) = I_{A2}(b_{22}I_{B2} + b_{12}I_{B1})
\tag{9-b}
$$

Because TL is the accumulated life of an individual prey until the last prey has been removed by a predator whose duration is indicated by TR, we can simply derive TL based on the numerical solutions from (3-a) and (3-b) as follows:

$$
\mathit{TL} = \sum_{t=0}^{\infty}\left(I_{A1}(t) + I_{A2}(t)\right)\Delta t
\tag{10}
$$

Since AL is the average lifespan for each node that has been terminated by a predator, which is equal to the number of nodes that are ever infected, AL can be derived from (8) and (10) as

$$
\mathit{AL} = \frac{\mathit{TL}}{\mathit{TI}}.
\tag{11}
$$

We can find TA, which is derived from $t$, where $\frac{dS^*_1}{dt} = \frac{dS^*_2}{dt} = \frac{dS'_1}{dt} = \frac{dS'_2}{dt} = \frac{dI_{A1}}{dt} = \frac{dI_{A2}}{dt} = \frac{dI_{B1}}{dt} = \frac{dI_{B2}}{dt} = 0$, $S^*_1(0) = I_{B1}(t)$, and $S^*_2(0) = I_{B2}(t)$, while TR is derived from $t$ where $\frac{dI_{A1}}{dt} = \frac{dI_{A2}}{dt} = 0$, $I_{A1} = I_{A2} = 0$ and $\mathit{TA} \ge \mathit{TR} \ge t_B$, where $t_B$ is the time of last batch arrival.
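The model analysis above can be carried through numerically. The following is an added example, not code from the paper: it integrates Eqs. (2)–(4) for two groups under the aggressive one-sided interaction with a fixed-step RK4 solver, checks conditions (6-a) and (6-b), and derives TI, MI, TL, AL and TR. The constructed initial populations, the 0.5-node threshold used to read TR off a continuous solution, and counting the initial prey nodes in TI (so that it agrees with Eq. (7)) are assumptions of this example.

```python
"""Two-group aggressive one-sided worm interaction: Eqs. (2)-(4), (6), (8), (10), (11).

Added illustration, not the paper's code. Assumes every K = 1, a = 0, no group
transitions, no batch arrivals and no manual removal or vaccination.
"""

# Contact rates (1/s) quoted for the slow/fast group experiment in Section 4.2.2.
B11, B22, B12 = 6e-5, 9e-5, 3e-5


def derivs(y, b11, b12, b22, p):
    """y = [S*1, S*2, S'1, S'2, IA1, IA2, IB1, IB2, new_infections, prey_life]."""
    s1, s2, v1, v2, a1, a2, q1, q2 = y[:8]
    prey1, prey2 = b11 * a1 + b12 * a2, b22 * a2 + b12 * a1  # prey contact pressure
    pred1, pred2 = b11 * q1 + b12 * q2, b22 * q2 + b12 * q1  # predator contact pressure
    return [
        -p * s1 * (prey1 + pred1),            # (2-a)
        -p * s2 * (prey2 + pred2),            # (2-b)
        -p * v1 * pred1,                      # (2-c)
        -p * v2 * pred2,                      # (2-d)
        p * (s1 * prey1 - a1 * pred1),        # (3-a)
        p * (s2 * prey2 - a2 * pred2),        # (3-b)
        p * pred1 * (s1 + v1 + a1),           # (4-a)
        p * pred2 * (s2 + v2 + a2),           # (4-b)
        p * (s1 * prey1 + s2 * prey2),        # integrand of Eq. (8)
        a1 + a2,                              # integrand of Eq. (10)
    ]


def rk4_step(y, h, *rates):
    """One classical Runge-Kutta step of size h."""
    k1 = derivs(y, *rates)
    k2 = derivs([u + 0.5 * h * k for u, k in zip(y, k1)], *rates)
    k3 = derivs([u + 0.5 * h * k for u, k in zip(y, k2)], *rates)
    k4 = derivs([u + h * k for u, k in zip(y, k3)], *rates)
    return [u + h / 6.0 * (w + 2 * x + 2 * z + m)
            for u, w, x, z, m in zip(y, k1, k2, k3, k4)]


def suppresses_initial_infection(y0, b11, b12, b22):
    """True when conditions (6-a) and (6-b) both hold at t = 0."""
    s1, s2, _, _, a1, a2, q1, q2 = y0[:8]
    c6a = s1 * (b11 * a1 + b12 * a2) <= a1 * (b11 * q1 + b12 * q2)
    c6b = s2 * (b22 * a2 + b12 * a1) <= a2 * (b22 * q2 + b12 * q1)
    return c6a and c6b


def simulate(y0, b11, b12, b22, p=1.0, h=0.5, horizon=3000.0, gone=0.5):
    """Integrate the model and return the metrics TI, MI, TL, AL, TR."""
    y = list(y0) + [0.0, 0.0]
    ia0 = y0[4] + y0[5]
    mi, tr, t = ia0, None, 0.0
    while t < horizon:
        y = rk4_step(y, h, b11, b12, b22, p)
        t += h
        ia = y[4] + y[5]
        mi = max(mi, ia)                      # MI = (IA1 + IA2)max
        if tr is None and ia < gone:          # assumption: prey "removed" below 0.5 node
            tr = t
    ti = ia0 + y[8]                           # assumption: initial prey counted in TI
    tl = y[9]
    al = tl / ti if ti > 0 else 0.0           # Eq. (11)
    return {"TI": ti, "MI": mi, "TL": tl, "AL": al, "TR": tr, "final": y[:8]}


def scenario(y_ratio, n1=500, n2=500):
    """Constructed start: one prey in slow group 1, y_ratio predators in fast group 2."""
    return [n1 - 1.0, n2 - float(y_ratio), 0.0, 0.0, 1.0, 0.0, 0.0, float(y_ratio)]


if __name__ == "__main__":
    for ratio in (1, 3, 5):
        m = simulate(scenario(ratio), B11, B12, B22)
        print(f"Y={ratio}:1  TI={m['TI']:.1f}  MI={m['MI']:.1f}  "
              f"TL={m['TL']:.0f}  AL={m['AL']:.1f}  TR={m['TR']}")
```

Raising the predator-to-prey ratio in `scenario` shows the drop in TI and MI, and a start state that satisfies (6-a) and (6-b) keeps MI at its initial value.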

[Figure: (a) TI and (b) MI as node fraction, and (c) TL, (d) AL and (e) TR in seconds, each plotted against Y for simulation and model.]

Fig. 2. Relationships of worm characteristics with Y.

4.2. Uniform-encounter-based simulations

We use encounter-level simulations to simulate a simple uniform encounter of 1000 mobile nodes of a uniform-encounter-based network with no batch arrivals, and all nodes are susceptible to both prey and predator. Each simulation runs at least 1000 rounds and we plot the median values for each position. We assume that there is only one group in the network with $b = 5 \times 10^{-5}\ \mathrm{s}^{-1}$ and two groups in part b.3 with $b_{11}$, $b_{12}$, $b_{22}$ between $3 \times 10^{-5}$ and $30 \times 10^{-5}\ \mathrm{s}^{-1}$. In addition, we only assume the aggressive one-sided worm interaction in all parts except in part a.

Before discussing our simulation results, we need to define the important parameter, the initial-infected-node ratio, which we use for uniform-encounter-based simulations. Let Y be an initial-infected-node ratio of predator to prey of the whole network,

$$
Y = \frac{\sum_{j=1}^{g} I_{Bj}(0)}{\sum_{j=1}^{g} I_{Aj}(0)}
\tag{12}
$$

where $g$ is the number of groups in the network and $j$ is the group identification.

Along with the worm interaction factors, Y is used to investigate the outcomes of having a number of initial-predator-infected nodes more than the number of initial-prey-infected nodes within the same networks, given that $d = 0$ (non-zero-delay deployment is investigated in b.3).

4.2.1. Worm interaction types

As shown in Fig. 2, we can clearly see that the predator in aggressive one-sided interactions is much more effective than the predator in the other two worm interaction types for all metrics. Note that we have not shown TA for conservative one-sided and aggressive two-sided worm interaction because $\mathit{TA} = \infty$, and also did not show TR, TL, and AL for aggressive two-sided worm interaction because $\mathit{TL} = \mathit{AL} = \mathit{TR} = \infty$. Although TI, MI, TL, and AL in the conservative one-sided interaction are at least one order higher than those of aggressive one-sided interactions, TR in the conservative one-sided interaction is only two times higher than that of aggressive one-sided interaction (with the same Y). This small difference occurs simply because even with aggressive one-sided interaction, the predator infection rate is slowed down at the later state of the termination/vaccination period. The simplified models for aggressive one-sided, conservative one-sided, and aggressive two-sided worm interactions are shown in Fig. 1b–d, respectively.

Next, we focus on the effects of large Y on our metrics only with the aggressive one-sided interaction. In Fig. 3a, TI and MI decrease exponentially as Y increases. We also find that if $S(0) : I_B(0) : I_A(0)$ is constant, then $\mathit{MI} : N$ and $\mathit{TI} : N$ are also constant even if N changes. From Fig. 3b, TL decreases exponentially as Y increases. AL, on the other hand, is almost constant for all Y. It is interesting to see that TL and AL merge at their minimum when $Y = Y^{**}_{\max}$. We can see that $\mathit{TL}_{\min}$ and $\mathit{AL}_{\min}$ do not reach zero at $Y_{\max}$ because the next encounter time of a prey-infected node with any of initial predator-infected nodes $(I_B(0))$ requires $1/(I_B(0)\,b)$. Furthermore, from (11), $\mathit{TL}_{\min} = \mathit{TI}_{\min}\,\mathit{AL}_{\min}$, thus $\mathit{TL}_{\min}$ and $\mathit{AL}_{\min}$ merge to each other because $\mathit{TI}_{\min} = I_A(0) = 1$.

Fig. 3c shows that TR decreases much faster than TA with an increase of Y. TR decreases exponentially as Y increases. TA begins to be reduced rapidly when $Y \to Y_{\max}$. At $Y_{\max}$, we can see that $\mathit{TA}_{\min} = \mathit{TR}_{\min} = \mathit{AL}_{\min}$. Note that TA is also similar to the average time for every node to receive a copy of a message from a random source in an encounter-based network, which can be derived as $(2\ln N + 0.5772)/(Nb)$ [3] ($^{**}Y_{\max} = 1000$).

4.2.2. Network characteristics

We start by examining the relationships of the aggressive one-sided interaction and the network characteristics: node size, contact rate, and group behavior. For contact rate and node size, we simply assume that the network only has one group in order to focus only on the effects of these factors on our metrics. After that, we would look deeper into the group behaviors including group size, contact rate within a group, and the contact rate between groups.

[Figure: (a) TI and MI as fraction of N, (b) TL and AL in seconds, (c) TA and TR in seconds, each plotted against Y for simulation and model.]

Fig. 3. Relationships of aggressive one-side interaction with Y.

1. Network size: In Fig. 4a and b, we find that TI and MI (as the fraction of N) for each Y but different N are saturated at the same fraction of N. This is because the fraction of N that the prey infects susceptible nodes and the fraction of N that the predator terminates/vaccinates are relatively equivalent for all Ns. Surprisingly, in Fig. 4c, TL becomes saturated at a certain absolute level and is also independent of N but depends only on Y. This occurs because the encounter rate ($d$), which is the rate that a node encounters any node (i.e., $d = b(N - 1)$), increases linearly with N (because $b$ is fixed, but the number of pairs $N - 1$ increases as N increases) and causes a linear reduction of the time between encounters, causing AL to be reduced proportionally to N (as shown in Fig. 4d) while TI is also increased proportionally to N (as shown in Fig. 4a). The product of these two numbers yields the constant TL. In Fig. 4e and f, the impact of N on TA and TR is quite similar to AL. It is interesting to see that for Y = 1 (1:1), $\mathit{TA} = \mathit{TR}$ for all N, and hence this implies that the time to remove all preys is simply the time that a predator needs to infect and remove the prey from all nodes (when $Y = 1$). In summary, we can see that N linearly increases TI and MI and exponentially reduces AL, TA, and TR. The effects of $N_n$ (group size) are further investigated in part c.3.

2. Contact rate: As shown in Fig. 5a and b, as expected, TI and MI for each Y are relatively constant even with the increase of $b$ (because of the equal change of $dI_A/dt$ and $dI_B/dt$). Similar to N, $d$ increases (fixed number of pairs $N - 1$, but $b$ increases), and $b$ exponentially decreases AL, TA, and TR. However, unlike N, TL is reduced exponentially as $b$ increases, simply because TI is constant for all $b$. In addition, the lower the Y, the greater the impact caused by $b$ will be. The effects of contact rate of multiple groups are examined next.

3. Group behavior: Earlier, we only assumed single-group behavior in a network; in this part, we will discuss the two-group behavior. Here we look into the effect of group size, the contact rate of one of the two groups, and the contact rate between two groups on the worm interactions.

We begin by investigating the effects of group sizes as the fraction of fixed N (1000 nodes) where $b_{11} = 6 \times 10^{-5}\ \mathrm{s}^{-1}$, $b_{22} = 9 \times 10^{-5}\ \mathrm{s}^{-1}$, and $b_{12} = 3 \times 10^{-5}\ \mathrm{s}^{-1}$. Group 1 and group 2 are called the "slow group" and "fast group", respectively. For the first part (Fig. 6a–c), an initial prey-infected node is in the slow group and an initial predator-infected node is in the fast group (slow-prey-fast-predator case). In the second part (Fig. 6d–f), an initial prey-infected host is in the fast group and an initial predator-infected node is in the slow group (fast-prey-slow-predator case).

In Fig. 6a and d, we see that as the size of the fast group increases, TI, MI, and TL linearly decrease. This indicates the independence of which group has the initial predator-infected node or the initial prey-infected node. As TI and TL linearly decrease with the same rate as the increase of the fast-group size, then AL is almost constant for all group sizes. TA and TR increase gradually as the slow-group size increases (and the fast-group size decreases), and drop gradually after reaching their peak value. This occurs because of the low contact rate between groups.

In Fig. 7, we show the impact of the contact rate of the initial-prey-infected-node group where the contact rate of the initial prey group $b_{11} = 3\text{–}30 \times 10^{-5}\ \mathrm{s}^{-1}$, the contact rate of the initial predator group $b_{22} = 15 \times 10^{-5}\ \mathrm{s}^{-1}$, and the contact rate between group $b_{12} = 3 \times 10^{-5}\ \mathrm{s}^{-1}$. As expected, TI, MI, and TL increase linearly as $b_{11}$ increases, while TA and TR decrease exponentially as $b_{11}$ increases. This effect is similar to the increase of contact rate in a single group (Fig. 5e–f).

[Figure: (a) TI and (b) MI as node fraction, and (c) TL, (d) AL, (e) TA and (f) TR in seconds, each plotted against N for Y = 1:1, 3:1 and 5:1, simulation and model.]

Fig. 4. Relationships of N with metrics.

[Figure: (a) TI and (b) MI as node fraction, and (c) TL, (d) AL, (e) TA and (f) TR in seconds, each plotted against $b$ ($\times 10^{-5}$) for Y = 1:1, 3:1 and 5:1, simulation and model.]

Fig. 5. Relationships of $b$ with metrics.

Fig. 6. Effects of group size in two-group population: slow group (contact rate = $6 \times 10^{-5}\ \mathrm{s}^{-1}$) and fast groups (contact rate = $9 \times 10^{-5}\ \mathrm{s}^{-1}$ and contact rate between group = $3 \times 10^{-5}\ \mathrm{s}^{-1}$) for slow prey fast predator (a, c and e) and fast prey slow predator (b, d and f) models.

In Fig. 8, we show the impact of the contact between groups where $b_{11} = 3 \times 10^{-5}\ \mathrm{s}^{-1}$, $b_{22} = 15 \times 10^{-5}\ \mathrm{s}^{-1}$, and $b_{12} = 3\text{–}30 \times 10^{-5}\ \mathrm{s}^{-1}$. As shown in Fig. 8a and b, as $b_{12}$ increases, the prey in the slow-prey-fast-predator can infect more susceptible nodes and the predator in the fast prey slow predator can terminate more preys and vaccinate more susceptible nodes (as indicated by TI and MI). Hence, the contact rate between groups only helps the prey or predator in the slower group to infect relatively more nodes than the one in the faster group (i.e., worms in both groups infect nodes faster, but the one in the slower group has higher relative improvement). However, TL, AL, TA, and TR decrease as the contact rate between the groups increases for all cases (slow-prey-fast-predator and fast-prey-slow-predator cases), because $d$ increases. We evaluate the group characteristics again in trace-driven encounter-based networks (Section 4.3).

4.2.3. Node characteristics

We vary the cooperation ($c$) from 20% to 100%, the immunization ($i$) from 0% to 90% with 100% "on" time for the first part of experiments (Fig. 9a–f), and we vary the "on" time from 10% to 90% with 90% cooperation and 10% immunization, for the second part (Fig. 9g–h). The first part aims to analyze the impact of cooperation and immunization, whereas the second part aims to analyze the on–off behavior on aggressive one-sided worm interaction. In this simulation, again we assume only a single group within the network. Simplified node-characteristic-based aggressive one-sided interaction is shown in Fig. 1e.

Fig. 7. Effects of initial-prey-infected-node group's contact rate in a two-group population: varied-contact-rate of initial-prey-infected-node group (contact rate = $3\text{–}30 \times 10^{-5}\ \mathrm{s}^{-1}$) and fixed-contact-rate of initial predator group (contact rate = $15 \times 10^{-5}\ \mathrm{s}^{-1}$ and contact rate between group = $3 \times 10^{-5}\ \mathrm{s}^{-1}$).

Fig. 8. Effects of contact rate between groups of a two-group population: slow group (contact rate = $3 \times 10^{-5}\ \mathrm{s}^{-1}$) and fast encountered groups (contact rate = $15 \times 10^{-5}\ \mathrm{s}^{-1}$ and contact rate between group = $3\text{–}30 \times 10^{-5}\ \mathrm{s}^{-1}$) for slow prey fast predator (a, c and e) and fast prey slow predator (b, d and f).

1. Cooperation: In Fig. 9a–f, we find that cooperation surprisingly reduces prey infection for every metric. (Note that cooperation actually increases absolute TI and absolute MI, but relative TI (or $\mathit{TI}/N^*$) and relative MI (or $\mathit{MI}/N^*$) are decreased, where the number of cooperative-susceptible nodes $N^* = c(1 - i)N$.) We can observe that cooperation reduces AL, TA, and TR significantly more than it does to TI, MI, and TL.

2. Immunization: Similarly, for immunization, Fig. 9a–f shows that immunization reduces all categories of metrics except TA and AL. With the increase of immunization, TI is reduced much faster than TL; thus an increase of immunization increases AL. Furthermore, an increase of immunization, as expected, reduces TR because of a smaller number of possible prey-infected nodes. Immunization reduces relative TI, relative MI, and TL more significantly than it does TR. With an equal increase (20–80%), immunization at cooperation = 100% reduces relative TI, relative MI, and TL approximately 8.8 times, 2.7 times, and 10.6 times, respectively, more than cooperation does at immunization = 0%. On the other hand, cooperation reduces TR approximately 3.3 times more than immunization does. As shown in Fig. 9e, unlike cooperation, immunization cannot reduce TA.

3. On–off behavior: The impact of on–off behavior (p) is clear in Fig. 9g–h. As expected, with varying “on” time, relative TI and relative MI do not change. The ratio of contact rate between predator and prey is an indicator of the fraction of infected nodes irrespective of the contact rate. In this case, the ratio of the contact rate is always 1.0, and hence relative TI and relative MI are constant. Because of the increase of “on” time causing a reduction of time between consecutive encounters between nodes, TL, AL, TA, and TR exponentially decrease as p increases.

4. Delay: As shown in Fig. 9i, the delay (d) causes absolute TI and absolute MI to linearly increase until the number of prey-infected nodes reaches N. Similarly, in Fig. 9k, TA and TR also increase linearly as d increases. The increase of TA and TR is simply the delay. In addition, TA and TR merge after a certain delay. TL and AL slowly increase as d increases (Fig. 9j).

[Figure 9, panels (a)–(k): (a)–(f) plot TI, MI, TL, AL, TA, and TR against i, with curves labelled C20–C100 for simulation and model; (g)–(h) plot TI/MI and TL/AL/TA/TR against p (curves labelled C90 I10); (i)–(k) plot TI/MI, TL/AL, and TA/TR against Delay (Sec) (curves labelled C100 I0). Y-axes: Cooperative-Susceptible Nodes (Fraction) or N (Fraction) for TI and MI, Time (Sec) for the other metrics.]

Fig. 9. Effects of cooperation (c), immunization (i), on–off behavior (p), and delay (d) on uniform-encounter worm interactions.

[Figure 10, panels (a)–(o): (c) “Batch arrival patterns at different start times”, Total Incoming Nodes (%) against Time (Days); (d)–(o) plot TI, MI, TL, AL, TA, and TR against i, with curves labelled C25, C50, and C100 for model and trace. Y-axes: Cooperative-Susceptible Hosts (Fraction) for TI and MI, Time (Sec) for the other metrics.]

Fig. 10. Trace-based statistics and simulation results: histograms of (a) total encounter/node, (b) unique encounter/node and (c) batch arrival pattern, and effects of cooperation (c) and immunization (i) on TI, MI, TL, AL, TA, and TR in non-uniform-encounter worm interaction, in (d)–(i) initial predator-infected hosts in slow contact-rate and late group, (j)–(o) initial predator-infected hosts in fast contact-rate and early group.

Next, we will apply what we have learned from the simulation of worm interaction in the uniform-encounter-based networks to realistic non-uniform encounter-based networks.

4.3. Trace-driven encounter-based simulations

We investigate the consistency of the model-based results with those generated using measurement-based real encounters. We drive our encounter-level simulations using the wireless network traces of the University of Southern California from 62 days in the spring 2006 semester [5]. We define an encounter as two nodes sharing the same access point at the same time. We randomly choose 1,000 random nodes from the 5,000 most active nodes based on their online time from the trace. Their median $\beta$ is $1.27 \times 10^{-6}\ \mathrm{s}^{-1}$ and the median number of unique encounter nodes is 94. We use $I_A(0) = 1$ and $I_B(d) = 1$, where $d$ is the delay between the initial predator-infected node and the initial prey-infected node in the simulation. This delay was introduced as the traced delay between the first arrival of two groups, where the initial predator-infected node and the initial prey-infected node are assumed to be in different groups (and different batch arrivals). The first group and second group account for approximately 90% and 10% of total population, respectively. The first group has an average contact rate $\beta_{11} = 3.6 \times 10^{-6}\ \mathrm{s}^{-1}$, the second group has an average contact rate $\beta_{22} = 3.3 \times 10^{-6}\ \mathrm{s}^{-1}$, and the approximate contact rate between the groups is $\beta_{12} = 4 \times 10^{-7}\ \mathrm{s}^{-1}$. When the contact rate of the initial predator-infected node is higher than that of the initial prey-infected node, we call this scenario “Fast predator”. On the other hand, when the contact rate of the initial predator-infected node is lower than that of the prey, we call this scenario “Slow predator”. From the trace, the median arrival delay between the initial predator-infected node and the initial prey-infected node is 8.7 days (introduced by the gap between the first and the second batch arrivals). Because the first group is in the first batch, “Fast predator” is also the early predator and “Slow predator” is also the late predator.
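The encounter-level replay described above, as an added example (not the authors' simulator): it derives encounters from association records using the paper's definition, seeds the prey at time 0 and the predator after delay d, and reports TI, MI, TL, AL, and TR. The association records, node names, the `immune` parameter, and the interaction rules as coded (predator converts susceptible and prey-infected nodes, prey infects only susceptible nodes, immune nodes take part in nothing) are assumptions for illustration.

```python
from itertools import combinations

# Constructed association records (node, access point, start s, end s); not USC trace data.
ASSOCIATIONS = [
    ("n1", "ap1", 0, 100), ("n2", "ap1", 50, 150), ("n3", "ap1", 120, 200),
    ("n3", "ap2", 300, 400), ("n4", "ap2", 350, 450), ("n5", "ap2", 420, 500),
    ("n6", "ap3", 200, 260), ("n2", "ap3", 220, 300), ("n6", "ap2", 430, 520),
    ("n1", "ap1", 600, 700), ("n3", "ap1", 620, 720), ("n5", "ap1", 650, 750),
]

def encounters(assocs):
    """Sorted (time, node_a, node_b): two nodes on the same access point at the same time."""
    found = []
    for (n1, ap1, s1, e1), (n2, ap2, s2, e2) in combinations(assocs, 2):
        if n1 != n2 and ap1 == ap2 and max(s1, s2) < min(e1, e2):
            found.append((max(s1, s2), n1, n2))   # encounter starts when the later node arrives
    return sorted(found)

def simulate(assocs, prey_seed, predator_seed, delay, immune=()):
    """Replay encounters; states: S susceptible, A prey, B predator, M immune (assumed rules)."""
    state = {node: "S" for node, *_ in assocs}
    state.update({node: "M" for node in immune})
    infected_at, ever = {}, set()      # live prey infections, nodes ever prey-infected
    stats = {"TL": 0, "MI": 0, "TR": None}

    def set_state(node, new, t):
        if state[node] == "A":                      # prey is being removed from this node
            stats["TL"] += t - infected_at.pop(node)
            if not infected_at:
                stats["TR"] = t                     # time the last prey was removed
        state[node] = new
        if new == "A":
            infected_at[node] = t
            ever.add(node)
            stats["MI"] = max(stats["MI"], len(infected_at))

    set_state(prey_seed, "A", 0)                    # one prey-infected node at time 0
    events, seeded = encounters(assocs), False
    for t, a, b in events:
        if not seeded and t >= delay:               # one predator-infected node after delay d
            set_state(predator_seed, "B", delay)
            seeded = True
        for src, dst in ((a, b), (b, a)):
            if state[src] == "B" and state[dst] in ("S", "A"):
                set_state(dst, "B", t)              # predator secures the node, displacing prey
            elif state[src] == "A" and state[dst] == "S":
                set_state(dst, "A", t)              # prey infects only susceptible nodes
    if events:                                      # prey still alive at the end of the trace
        stats["TL"] += sum(events[-1][0] - t0 for t0 in infected_at.values())
    stats["TI"] = len(ever)
    stats["AL"] = stats["TL"] / stats["TI"]
    return stats

def compare_immunization():
    """Same trace and seeds, without and with one immunized node."""
    base = simulate(ASSOCIATIONS, "n1", "n6", delay=200)
    immunized = simulate(ASSOCIATIONS, "n1", "n6", delay=200, immune=("n3",))
    return base, immunized

if __name__ == "__main__":
    for label, result in zip(("i = 0", "n3 immune"), compare_immunization()):
        print(label, result)
```

On this constructed trace, immunizing one node lowers TI, MI, and TL while AL rises, because the surviving infections are the long-lived ones.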

We can see the consistent batch arrival pattern in Fig. 7c, where each line represents a different start new-node arrival time into the networks, i.e., day 0, 10, 20, and 30, where day 0 is January 25, 2006. At the beginning of the semester, not all students had returned to campus; hence, the large gap between batch arrivals existed. The smaller gaps (1 day) in other start days were caused by the university’s schedule, which has classes either on Tuesday–Thursday or Monday–Wednesday–Friday. Hence, the batch arrival patterns are likely to occur in any encounter-based networks due to the users’ schedules. In addition, in Fig. 10a and b, we find that a user’s encounter in the trace is highly skewed (non-uniform), i.e., the top 20% of a user’s total encounter accounts for 72% of all users’ encounters, and 70% of users encounter less than 20% of total unique users, which are caused by non-uniform on–off behavior and location preferences [5,6].

We choose to run our trace-driven simulations at day 0 to determine the significance of batch arrival patterns on worm interactions. To validate our model accuracy, we compare the trace-driven simulation results with our aggressive one-sided model with node characteristics and group behavior. We also apply the batch arrival and delay to our model and compare the trace-driven simulation results with our model plot.

In our model, we use $\beta_{11} = 3.6 \times 10^{-6}$; $\beta_{22} = 3.3 \times 10^{-6}$; $\beta_{12} = 4 \times 10^{-7}$ with t1 = day 8.7 (second batch arrival, 395 nodes join group 1, 50 nodes join group 2), t2 = day 8.71 (all predator-infected nodes leaving the networks), t3 = day 11.57 (predator-infected nodes rejoin the networks), t4 = day 17.4 (third batch arrival, 50 nodes join group 2), t4 = day 40.5 (fourth batch arrival, 5 nodes join group 2). These batch arrival patterns are approximated from the observed trace and simulations.

In Fig. 10f–i and l–o, these batch arrival patterns and the delay cause significant additions to our proposed metrics, especially TL, AL, TA, and TR (TA is subject to the time of the last-node arrival). In addition, we find that immunization (i) is still a very important factor to reduce relative TI, relative MI, TL, and TR in the “Slow predator” case, but it does not have much impact in the “Fast predator” case, since there is not much room for improvement (except TL). However, unlike uniform-encounter worm interaction, we find that cooperation only helps reduce relative TI, relative MI, TL, AL, and TR in the “Fast predator” case.

In Fig. 10d–f, relative TI, relative MI, and TL with “Slow predator” almost linearly decrease to zero with an increase of i. Hence, large immunization can offset large delay. Surprisingly, as shown in Fig. 10g and m, AL with “Fast predator” did not show significant improvement over AL with “Slow predator”.

Our model seems to more accurately predict the metrics in the “Slow predator” case, in which the delay and batch arrival patterns are the major factors. On the other hand, for the “Fast predator”, TI and MI (Fig. 10j–k) are more sensitive to fine-grained non-uniform encounter patterns in which we simplify them to only two-group encounters. With the number of groups precisely estimated, the accuracy of the metrics estimations can be drastically improved.

5. Summary and future work

In this paper, we propose a general worm interaction model addressing worm interaction types, network characteristics, and node characteristics for encounter-based networks. In addition, new metrics as a performance evaluation framework for worm interactions are proposed. We find that a predator is most effective in aggressive one-sided worm interaction. In addition, we find that in uniform and realistic encounter-based networks, immunization and delay are the most influential node characteristics for total prey-infected nodes, maximum prey-infected nodes, and total prey lifespan. Cooperation and on–off behaviors greatly affect average individual prey lifespan, time to secure all nodes, and time to remove all preys in uniform encounter-based networks. Furthermore, for multi-group uniform-encounter-based networks, large group size with fast contact rate helps limit total prey-infected nodes and maximum prey-infected nodes. Fast contact rates between groups reduce average individual prey lifespan, time to secure all nodes, and time to remove all preys. Our model shows very good agreement with uniform-encounter simulation results.

Based on realistic mobile networks measurements, we find that batch arrivals are common in the trace and are likely to take place in any encounter-based networks. In addition, we also find that the contact rate and the number of unique encounters of users are highly skewed. This network characteristic causes worm infection behavior to deviate from our predictions, even though the general trends remain similar to the model. We believe that our general worm interaction model can be extended to incorporate fine-grained and dynamic user groups to enhance the accuracy of prediction.

In such networks, immunization and timely predator deployment seem to be more important factors than cooperation. Hence, enforcing early immunization and having a mechanism to identify a high-contact-rate group to deploy an initial predator-infected node is critical to containing worm propagation in encounter-based networks. These findings provide insight that we hope will aid in the development of counter-worm protocols in future encounter-based networks.

References

[1] F. Castaneda, E.C. Sezer, J. Xu, WORM vs. WORM: preliminary study of an active counter-attack mechanism, in: ACM Workshop on Rapid Malcode, 2004.

[2] Z. Chen, L. Gao, K. Kwiat, Modeling the spread of active worms, in: IEEE INFOCOM 2003.

[3] D.E. Cooper, P. Ezhilchelvan, I. Mitrani, A family of encounter-based broadcast protocols for mobile ad-hoc networks, in: Proceedings of the Wireless Systems and Mobility in Next Generation Internet. First International Workshop of the EURO-NGI Network of Excellence, Dagstuhl Castle, Germany, June 7–9 2004.

[4] W. Hsu, A. Helmy, On nodal encounter patterns in wireless LAN traces, in: The Second IEEE Int’l Workshop on Wireless Network Measurement (WiNMee), April 2006.

[5] W. Hsu, A. Helmy, On modeling user associations in wireless LAN traces on university campuses, in: The Second IEEE Int’l Workshop on Wireless Network Measurement (WiNMee), April 2006.

[6] A. Ganesh, L. Massoulie, D. Towsley, The effect of network topology on the spread of epidemics, in: IEEE INFOCOM 2005.

[7] W.O. Kermack, A.G. McKendrick, A contribution to the mathematical theory of epidemics, in: Proceedings of the Royal Society, vol. A115, 1997, p. 700–721.

[8] D. Moore, C. Shannon, G.M. Voelker, S. Savage, Internet quarantine: requirements for containing self propagating code, in: IEEE INFOCOM, 2003.

[9] D.M. Nicol, Models and analysis of active worm defense, in: Proceeding of Mathematical Methods, Models and Architecture for Computer Networks Security Workshop, 2005.

[10] P. Szor, The Art of Computer Virus Research and Defense, Symantec Press, Berlin, 2005.

[11] S. Tanachaiwiwat, A. Helmy, Worm ecology in encounter-based networks, Invited Paper, in: IEEE Broadnets 2007.

[12] S. Tanachaiwiwat, A. Helmy, On the performance evaluation of encounter-based worm interactions based on node characteristics, in: ACM CHANTS 2007, Mobicom Workshop.

[13] Trend micro annual virus report 2004 http://www.trendmicro.com.

[14] H. Trottier, P. Phillippe, Deterministic modeling of infectious diseases: theory and methods. The Internet Journal of Infectious Diseases, ISSN: 1528–8366.

[15] A. Vahdat, D. Becker. Epidemic routing for partially connected ad hoc networks. Technical Report CS-2000.

[16] M. Vojnovic, A.J. Ganesh, On the effectiveness of automatic patching, in: ACM WORM 2005, The Third Workshop on Rapid Malcode, George Mason University, Fairfax, VA, USA, Nov 11, 2005.

[17] X. Zhang, G. Neglia, J. Kurose, D. Towsley, Performance modeling of epidemic routing, Elsevier Computer Networks Journal, in press.

[18] C.C. Zou, W. Gong, D. Towsley, Code red worm propagation modeling and analysis, in: Proceedings of the Ninth ACM CCS 2002.

Sapon Tanachaiwiwat holds a B.S. in Electrical Engineering from the Mahidol University, Bangkok; a M.S. in Electrical Engineering, and a Ph.D. in Computer Engineering, both from the University of Southern California. His doctoral dissertation focuses on the analysis of worm propagations and interactions in wired and wireless computer networks. He has participated in the ACQUIRE project (Active Query in Wireless Sensor Networks) funded by the National Science Foundation. His main research interests are in modeling, designing and implementing algorithms and protocols for large-scaled simulation and real-time systems. He is a project manager at the Innovative Scheduling, Inc. He is currently involved in building a decision support system for routing of locomotives to shops for quarterly maintenances. This project involves developing and implementing algorithms for real-time routing of locomotives to shops such that locomotives reach shops just-in-time and consistent with the shop capacities.

Ahmed Helmy received the BS degree in electronics and communications engineering with highest honors and the MS Eng. Math. degree from Cairo University, Egypt, in 1992 and 1994, respectively, and the MS degree in electrical engineering and the PhD degree in computer science from the University of Southern California (USC) in 1995 and 1999, respectively. He is an associate professor and the founder and director of the wireless networking laboratory in the Computer and Information Science and Engineering (CISE) Department, University of Florida, Gainesville. From 1999 to 2006, he was an assistant professor of electrical engineering (EE) at the University of Southern California. He was also the founder and director of the wireless networking laboratory at USC. He was a key researcher in the network simulator (NS-2) and the protocol independent multicast (PIM-SM) projects in the Information Sciences Institute (ISI), USC. His research interests lie in the areas of network protocol design and analysis for mobile ad hoc and sensor networks, mobility modeling, design and testing of multicast protocols, IP micromobility, and network simulation. In 2002, he received the US National Science Foundation (NSF) CAREER Award. In 2000, he received the USC Zumberge Research Award, and in 2002, he received the best paper award from the IEEE/IFIP International Conference on Management of Multimedia and Mobile Networks and Services (MMNS). In 2003, he was the EE nominee for the USC Engineering Jr. Faculty Research Award and a nominee for the Sloan Fellowship. In 2004 and 2005, he got the best merit ranking in the EE-USC faculty. In 2007, he was a winner in the ACM MobiCom SRC research competition. He has been an area editor of the Adhoc Networks Journal, published by Elsevier, since 2007 (editor since 2004). He is the co-chair for the IFIP/IEEE MMNS 2006 and IEEE INFOCOM Global Internet Workshop 2008 and the vice chair for IEEE ICPADS 2006 and HiPC 2007. He has been the ACM SIGMOBILE workshop coordination chair (for ACM MobiCom, MobiHoc, MobiSys, and SenSys) since 2006. He served on the program committees for numerous IEEE and ACM conferences in the areas of computer and wireless networks.
